please help

shurkes
2007-07-31, 05:26
Hello, this is my first post. Some days ago the command prompt of my computer suddenly popped up and started to write something by itself. Some time after that my Symantec antivirus started to pop up messages that this mail cannot be sent because it's spam. I didn't send any mail and I am sure that some kind of malware took control of my computer. Neither Symantec nor Spybot in safe mode found anything. I will be grateful if someone can help me.
Below are two logs, one of an online Panda scan and the other of HJT.

This is the online virus check of Panda:

Incident Status Location

Adware:adware/superspider Not disinfected c:\windows\system32\a.exe
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\yesples\Application Data\Mozilla\Firefox\Profiles\6aa316im.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\yesples\Application Data\Mozilla\Firefox\Profiles\6aa316im.default\cookies.txt[ad.yieldmanager.com/]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\yesples\Local Settings\Application Data\Mozilla\Firefox\Profiles\6aa316im.default\Cache(2)\633285D9d01[SmitfraudFix/Process.exe]
Potentially unwanted tool:Application/SuperFast Not disinfected C:\Documents and Settings\yesples\Local Settings\Application Data\Mozilla\Firefox\Profiles\6aa316im.default\Cache(2)\633285D9d01[SmitfraudFix/restart.exe]


And this is the log of HJT:

Logfile of HijackThis v1.99.1
Scan saved at 23:25:29, on 30/07/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Common Files\Virtual Token\vtserver.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\Program Files\CheckPoint\SSL Network Extender\slimsvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\Program Files\Babylon\Babylon.exe
C:\WINDOWS\vsnpstd.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\WINDOWS\system32\a.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcMurocHlpr.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Common Files\PCSuite\Services\NclBTHandler.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://tango.huji.ac.il/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ControlCenter] "C:\Program Files\IBM fingerprint software\ctlcntr.exe" /startup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [Babylon Client] C:\Program Files\Babylon\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [CameraFixer] C:\WINDOWS\CameraFixer.exe
O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [MSMSGNER] C:\WINDOWS\system32\a.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - https://tango.huji.ac.il/sre/ICSScanner.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B4CB50E4-0309-4906-86EA-10B6641C8392} (SlimClient Class) - https://tango.huji.ac.il/SNX/CSHELL/extender.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINDOWS\system32\btxppanel.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: LMIinit - C:\WINDOWS\SYSTEM32\LMIinit.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: psfus - C:\Program Files\IBM fingerprint software\psfus.dll
O20 - Winlogon Notify: tphotkey - C:\WINDOWS\SYSTEM32\tphklock.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation - C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Check Point SSL Network Extender (cpextender) - Check Point Software Technologies - C:\Program Files\CheckPoint\SSL Network Extender\slimsvc.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Protector Suite Virtual Token (vtserver) - UPEK Inc. - C:\Program Files\Common Files\Virtual Token\vtserver.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

pskelley
2007-07-31, 14:38
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

I am sorry, if you still need help, this one is a little hard to identify, but one way or another it is trouble.
C:\WINDOWS\system32\a.exe
O4 - HKLM\..\Run: [MSMSGNER] C:\WINDOWS\system32\a.exe

I am guessing it is this: http://www.liutilities.com/products/wintaskspro/processlibrary/a/
and suggest you notify everyone in your address book of the infection.

Here is the Google: http://www.google.com/search?hl=en&q=a.exe&btnG=Google+Search

What worries me is a scan of the name: MSMSGNER returns this:
http://www.google.com/search?hl=en&q=MSMSGNER&btnG=Search
http://www.sophos.com/security/analyses/trojfowldogen.html
Which would make it a very dangerous backdoor trojan. You can scan the file with one or more of these free scanners to find out:
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/

You may want to look at this information: http://www.dslreports.com/faq/10451
I would certainly scan it to find out what you are up against, then let's try to remove the trojan.

1) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.

2) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

3) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

(if you are positive this is safe you may leave it. It tried to install something on my PC which was blocked)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://tango.huji.ac.il/

O4 - HKLM\..\Run: [MSMSGNER] C:\WINDOWS\system32\a.exe
Trojan

(same as the R0...if you know it you may leave it, does not identify)
O16 - DPF: {B4CB50E4-0309-4906-86EA-10B6641C8392} (SlimClient Class) - https://tango.huji.ac.il/SNX/CSHELL/extender.cab

Close all programs but HJT and all browser windows, then click on "Fix Checked"

4) RIGHT Click on Start then click on Explore. Locate and delete these items:

C:\WINDOWS\system32\a.exe <<< delete that file

5) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart the computer and post a new HJT log. Post the scan information and any comments you think will help.

Thanks
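As a defender-side aid to reading logs like the ones in this thread, here is a small Python triage script. It is an added example, not the poster's log and not part of HijackThis or any Safer Networking tool. It parses the "Running processes" block and the O4 Run entries of a HijackThis log, cross-references them, and surfaces the kind of entry pskelley picked out by eye: a Run value whose display name has nothing to do with the executable it launches, an executable with a one-letter name sitting in a Windows system directory, and any line HijackThis marked "(file missing)". The sample log is constructed from entries quoted above; the heuristics are illustrative and deliberately noisy (the Intel hotkey entry trips the name-mismatch check too), so the output is a short list for a human to verify, not a verdict.

```python
import re
from typing import NamedTuple

# Constructed sample in HijackThis v1.99.1 log format, modelled on entries
# quoted in this thread; it is not the poster's full log.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\a.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [MSMSGNER] C:\WINDOWS\system32\a.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
"""


class RunEntry(NamedTuple):
    hive: str      # HKLM or HKCU
    name: str      # value name shown in [brackets]
    command: str   # raw command string after the brackets


# O4 - HKLM\..\Run: [Name] command
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.*)$")

# Directories where a one-letter executable or a mismatched Run name is worth a look.
WINDOWS_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\system\\", "c:\\windows\\")


def parse_run_entries(log: str) -> list:
    """Return every O4 HKLM/HKCU Run entry in the log."""
    entries = []
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries.append(RunEntry(*m.groups()))
    return entries


def running_processes(log: str) -> set:
    """Lower-cased paths from the 'Running processes:' block (ends at the first blank line)."""
    procs, in_block = set(), False
    for line in log.splitlines():
        if line.strip() == "Running processes:":
            in_block = True
            continue
        if in_block:
            if not line.strip():
                break
            procs.add(line.strip().lower())
    return procs


def executable_path(command: str) -> str:
    """Extract the executable from a Run command: quoted path, or text up to the first .exe."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(?i)(.*?\.exe)", command)
    return m.group(1) if m else command.split()[0]


def _strip_exe(name: str) -> str:
    name = name.lower()
    return name[:-4] if name.endswith(".exe") else name


def triage(log: str) -> list:
    """Flag Run entries a human should verify; each finding lists its reasons."""
    running = running_processes(log)
    findings = []
    for entry in parse_run_entries(log):
        path = executable_path(entry.command)
        stem = _strip_exe(path.rsplit("\\", 1)[-1])
        in_windows = path.lower().startswith(WINDOWS_DIRS)
        reasons = []
        if in_windows and len(stem) <= 2:
            reasons.append("very short executable name in a Windows system directory")
        if in_windows and _strip_exe(entry.name) != stem:
            reasons.append("Run value name does not match the executable name")
        if reasons:
            findings.append({"name": entry.name, "path": path,
                             "running": path.lower() in running, "reasons": reasons})
    return findings


def missing_file_lines(log: str) -> list:
    """Lines HijackThis annotated with '(file missing)', whatever their section."""
    return [l.strip() for l in log.splitlines() if "(file missing)" in l]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        state = "running" if f["running"] else "not running"
        print(f"[{f['name']}] {f['path']} ({state}): " + "; ".join(f["reasons"]))
    for line in missing_file_lines(SAMPLE_LOG):
        print("file missing:", line)
```

Run it against a saved HJT log by replacing SAMPLE_LOG with the file's contents. The "running" flag is the useful bit when a user reports that nothing shows in the antivirus: an autostart entry that is both oddly named and live in the process list, like the [MSMSGNER] a.exe pair here, is exactly what a scanner's signature miss looks like in this kind of log.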

shurkes
2007-07-31, 22:08
Thank you very much. I hope that you solved the problem. If I have that problem again I will post it. Right now the problem is gone. Thanks a lot.
Here is the HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 16:03:00, on 31/07/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Common Files\Virtual Token\vtserver.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\Program Files\CheckPoint\SSL Network Extender\slimsvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcMurocHlpr.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Babylon\Babylon.exe
C:\WINDOWS\vsnpstd.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
C:\Program Files\Common Files\PCSuite\Services\NclBTHandler.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\HijackThis\yesples.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://tango.huji.ac.il/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ControlCenter] "C:\Program Files\IBM fingerprint software\ctlcntr.exe" /startup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [Babylon Client] C:\Program Files\Babylon\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [CameraFixer] C:\WINDOWS\CameraFixer.exe
O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - https://tango.huji.ac.il/sre/ICSScanner.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B4CB50E4-0309-4906-86EA-10B6641C8392} (SlimClient Class) - https://tango.huji.ac.il/SNX/CSHELL/extender.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINDOWS\system32\btxppanel.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: LMIinit - C:\WINDOWS\SYSTEM32\LMIinit.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: psfus - C:\Program Files\IBM fingerprint software\psfus.dll
O20 - Winlogon Notify: tphotkey - C:\WINDOWS\SYSTEM32\tphklock.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation - C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Check Point SSL Network Extender (cpextender) - Check Point Software Technologies - C:\Program Files\CheckPoint\SSL Network Extender\slimsvc.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Protector Suite Virtual Token (vtserver) - UPEK Inc. - C:\Program Files\Common Files\Virtual Token\vtserver.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

pskelley
2007-07-31, 23:09
Thanks for returning your information and the feedback. Please read this information:
http://forums.spybot.info/showpost.php?p=12880&postcount=2
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe <<< you will want to check this, the scheduler is running but Java is out of date. Download the newest version and uninstall all old versions in Add Remove Programs.
I personally do not trust the buggy scheduler and update my Java manually myself.

Please assure me you know this program: C:\WINDOWS\CameraFixer.exe

I believe we should run another good scanner to make sure nothing is hiding from HJT.

Run this online scan using Internet Explorer:
Kaspersky Online Scanner from http://www.kaspersky.com/virusscanner

Next Click on Launch Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make sure that the following are selected:
* Scan using the following Anti-Virus database:
* Standard
* Scan Options:
* Scan Archives
* Scan Mail Bases
* Click OK
* Now under select a target to scan:
* Select My Computer
* This program will start and scan your system.
* The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
* Now click on the Save as Text button:
* Save the file to your desktop.

Then post it here.

If you do not feel this is necessary, then finish up like this:
System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html

Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

shurkes
2007-08-01, 06:44
I am not sure that I know the file you've mentioned (C:\WINDOWS\CameraFixer.exe). How can I be sure?

The Kaspersky log:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, August 01, 2007 12:31:24 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 1/08/2007
Kaspersky Anti-Virus database records: 347468
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 38106
Number of viruses found: 3
Number of infected objects: 4 / 0
Number of suspicious objects: 0
Duration of the scan process: 01:04:19

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08980000.VBN Infected: Backdoor.Win32.Mytobor.c skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08DC0000.VBN Infected: Backdoor.Win32.Mytobor.c skipped
C:\Documents and Settings\dannyg\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\dannyg\NtUser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\yesples\Application Data\Microsoft\Outlook\OUTLOOK.NK2 Object is locked skipped
C:\Documents and Settings\yesples\Application Data\Microsoft\Outlook\OUTLOOK.srs Object is locked skipped
C:\Documents and Settings\yesples\Application Data\Microsoft\Templates\Normal.dot Object is locked skipped
C:\Documents and Settings\yesples\Application Data\Microsoft\Word\STARTUP\EN9Cwyw.dot Object is locked skipped
C:\Documents and Settings\yesples\Application Data\Mozilla\Firefox\Profiles\6aa316im.default\cert8.db Object is locked skipped
C:\Documents and Settings\yesples\Application Data\Mozilla\Firefox\Profiles\6aa316im.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\yesples\Application Data\Mozilla\Firefox\Profiles\6aa316im.default\history.dat Object is locked skipped
C:\Documents and Settings\yesples\Application Data\Mozilla\Firefox\Profiles\6aa316im.default\key3.db Object is locked skipped
C:\Documents and Settings\yesples\Application Data\Mozilla\Firefox\Profiles\6aa316im.default\parent.lock Object is locked skipped
C:\Documents and Settings\yesples\Application Data\Mozilla\Firefox\Profiles\6aa316im.default\search.sqlite Object is locked skipped
C:\Documents and Settings\yesples\Application Data\Mozilla\Firefox\Profiles\6aa316im.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\yesples\Application Data\Skype\yesples1\call256.dbb Object is locked skipped
C:\Documents and Settings\yesples\Application Data\Skype\yesples1\callmember256.dbb Object is locked skipped
C:\Documents and Settings\yesples\Application Data\Skype\yesples1\chat256.dbb Object is locked skipped
C:\Documents and Settings\yesples\Application Data\Skype\yesples1\chat512.dbb Object is locked skipped
C:\Documents and Settings\yesples\Application Data\Skype\yesples1\chatmember256.dbb Object is locked skipped
C:\Documents and Settings\yesples\Application Data\Skype\yesples1\chatmsg1024.dbb Object is locked skipped
C:\Documents and Settings\yesples\Application Data\Skype\yesples1\chatmsg256.dbb Object is locked skipped
C:\Documents and Settings\yesples\Application Data\Skype\yesples1\chatmsg512.dbb Object is locked skipped
C:\Documents and Settings\yesples\Application Data\Skype\yesples1\contactgroup256.dbb Object is locked skipped
C:\Documents and Settings\yesples\Application Data\Skype\yesples1\dyncontent\bundle.dat Object is locked skipped
C:\Documents and Settings\yesples\Application Data\Skype\yesples1\index2.dat Object is locked skipped
C:\Documents and Settings\yesples\Application Data\Skype\yesples1\profile256.dbb Object is locked skipped
C:\Documents and Settings\yesples\Application Data\Skype\yesples1\transfer256.dbb Object is locked skipped
C:\Documents and Settings\yesples\Application Data\Skype\yesples1\transfer512.dbb Object is locked skipped
C:\Documents and Settings\yesples\Application Data\Skype\yesples1\user1024.dbb Object is locked skipped
C:\Documents and Settings\yesples\Application Data\Skype\yesples1\user16384.dbb Object is locked skipped
C:\Documents and Settings\yesples\Application Data\Skype\yesples1\user256.dbb Object is locked skipped
C:\Documents and Settings\yesples\Application Data\Skype\yesples1\voicemail256.dbb Object is locked skipped
C:\Documents and Settings\yesples\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\yesples\Local Settings\Application Data\Babylon\log_file.txt Object is locked skipped
C:\Documents and Settings\yesples\Local Settings\Application Data\Google\Google Desktop\4409f41ea77e\dbc2e.ht1 Object is locked skipped
C:\Documents and Settings\yesples\Local Settings\Application Data\Google\Google Desktop\4409f41ea77e\dbdam Object is locked skipped
C:\Documents and Settings\yesples\Local Settings\Application Data\Google\Google Desktop\4409f41ea77e\dbdao Object is locked skipped
C:\Documents and Settings\yesples\Local Settings\Application Data\Google\Google Desktop\4409f41ea77e\dbeam Object is locked skipped
C:\Documents and Settings\yesples\Local Settings\Application Data\Google\Google Desktop\4409f41ea77e\dbeao Object is locked skipped
C:\Documents and Settings\yesples\Local Settings\Application Data\Google\Google Desktop\4409f41ea77e\dbm Object is locked skipped
C:\Documents and Settings\yesples\Local Settings\Application Data\Google\Google Desktop\4409f41ea77e\dbu2d.ht1 Object is locked skipped
C:\Documents and Settings\yesples\Local Settings\Application Data\Google\Google Desktop\4409f41ea77e\dbvm.cf1 Object is locked skipped
C:\Documents and Settings\yesples\Local Settings\Application Data\Google\Google Desktop\4409f41ea77e\dbvmh.ht1 Object is locked skipped
C:\Documents and Settings\yesples\Local Settings\Application Data\Google\Google Desktop\4409f41ea77e\fii.cf1 Object is locked skipped
C:\Documents and Settings\yesples\Local Settings\Application Data\Google\Google Desktop\4409f41ea77e\fiih.ht1 Object is locked skipped
C:\Documents and Settings\yesples\Local Settings\Application Data\Google\Google Desktop\4409f41ea77e\hp Object is locked skipped
C:\Documents and Settings\yesples\Local Settings\Application Data\Google\Google Desktop\4409f41ea77e\hpt2i.ht1 Object is locked skipped
C:\Documents and Settings\yesples\Local Settings\Application Data\Google\Google Desktop\4409f41ea77e\rpm.cf1 Object is locked skipped
C:\Documents and Settings\yesples\Local Settings\Application Data\Google\Google Desktop\4409f41ea77e\rpm1m.cf1 Object is locked skipped
C:\Documents and Settings\yesples\Local Settings\Application Data\Google\Google Desktop\4409f41ea77e\rpm1mh.ht1 Object is locked skipped
C:\Documents and Settings\yesples\Local Settings\Application Data\Google\Google Desktop\4409f41ea77e\rpmh.ht1 Object is locked skipped
C:\Documents and Settings\yesples\Local Settings\Application Data\Google\Google Desktop\4409f41ea77e\safeweb\goog-black-enchashm.cf1 Object is locked skipped
C:\Documents and Settings\yesples\Local Settings\Application Data\Google\Google Desktop\4409f41ea77e\safeweb\goog-black-enchashmh.ht1 Object is locked skipped
C:\Documents and Settings\yesples\Local Settings\Application Data\Google\Google Desktop\4409f41ea77e\safeweb\goog-black-urlm.cf1 Object is locked skipped
C:\Documents and Settings\yesples\Local Settings\Application Data\Google\Google Desktop\4409f41ea77e\safeweb\goog-black-urlmh.ht1 Object is locked skipped
C:\Documents and Settings\yesples\Local Settings\Application Data\Google\Google Desktop\4409f41ea77e\safeweb\goog-malware-domainm.cf1 Object is locked skipped
C:\Documents and Settings\yesples\Local Settings\Application Data\Google\Google Desktop\4409f41ea77e\safeweb\goog-malware-domainmh.ht1 Object is locked skipped
C:\Documents and Settings\yesples\Local Settings\Application Data\Google\Google Desktop\4409f41ea77e\safeweb\goog-white-domainm.cf1 Object is locked skipped
C:\Documents and Settings\yesples\Local Settings\Application Data\Google\Google Desktop\4409f41ea77e\safeweb\goog-white-domainmh.ht1 Object is locked skipped
C:\Documents and Settings\yesples\Local Settings\Application Data\Microsoft\Outlook\archive.pst Object is locked skipped
C:\Documents and Settings\yesples\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\yesples\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\yesples\Local Settings\Application Data\Mozilla\Firefox\Profiles\6aa316im.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\yesples\Local Settings\Application Data\Mozilla\Firefox\Profiles\6aa316im.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\yesples\Local Settings\Application Data\Mozilla\Firefox\Profiles\6aa316im.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\yesples\Local Settings\Application Data\Mozilla\Firefox\Profiles\6aa316im.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\yesples\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\yesples\Local Settings\History\History.IE5\MSHist012007073120070801\index.dat Object is locked skipped
C:\Documents and Settings\yesples\Local Settings\Temp\~DF9AC9.tmp Object is locked skipped
C:\Documents and Settings\yesples\Local Settings\Temp\~DFA7A3.tmp Object is locked skipped
C:\Documents and Settings\yesples\Local Settings\Temp\~DFC4BA.tmp Object is locked skipped
C:\Documents and Settings\yesples\Local Settings\Temp\~DFE6BD.tmp Object is locked skipped
C:\Documents and Settings\yesples\Local Settings\Temp\~WRD0000.doc Object is locked skipped
C:\Documents and Settings\yesples\Local Settings\Temp\~WRF0001.tmp Object is locked skipped
C:\Documents and Settings\yesples\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\yesples\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\yesples\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\yesples\NtUser.dat.LOG Object is locked skipped
C:\My Documents\OUTLOOK\Outlook.pst Object is locked skipped
C:\Program Files\CheckPoint\SSL Network Extender\slimsvc.log Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{C54F4546-9D10-437B-A3DF-B3348E70DBCD}\RP2\A0001119.exe Infected: Backdoor.Win32.Bifrose.acs skipped
C:\System Volume Information\_restore{C54F4546-9D10-437B-A3DF-B3348E70DBCD}\RP4\change.log Object is locked skipped
C:\WINDOWS\Debug\Netlogon.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{DC138DA1-1DEB-4B62-9DFD-190F83785858}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\mwyts.exe Infected: Trojan-Downloader.Win32.Tiny.ho skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.

pskelley
2007-08-01, 12:32
Good morning, you said
"I am not sure that I know the file you've mentioned (C:\WINDOWS\CameraFixer.exe). How can I be sure?"

Is this your computer? Google does not supply much information about the file, have a look: http://www.google.com/search?hl=en&q=CameraFixer.exe&btnG=Google+Search
http://www.google.com/search?hl=en&q=CameraFixer&btnG=Search

It is probably something installed to repair a camera issue, but since the hackers call their junk whatever they wish, it is best to be sure.
You can navigate to the file: C:\WINDOWS\CameraFixer.exe <<< and right click on it, then choose Properties. See if you can tell what it is from there OR
You can use this free online scan to make sure it is not bad: http://www.virustotal.com/
Post the results if you are unsure about them.

KASPERSKY ONLINE SCANNER REPORT Wednesday, August 01, 2007 12:31:24 AM

Number of infected objects: 4 / 0

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\ <<< delete the contents of that folder

I will post the instructions I have; if they do not work you will need to contact Symantec for instructions. The items cannot get out of quarantine, but I would suggest you learn how to clean the folder.
http://service1.symantec.com/SUPPORT/nav.nsf/docid/2000041213443506

C:\WINDOWS\system32\mwyts.exe <<< delete that file...it is still on your computer and dangerous so make sure it is gone.
Infected: Trojan-Downloader.Win32.Tiny.ho skipped

C:\System Volume Information\_restore{C54F4546-9D10-437B-A3DF-B3348E70DBCD}\RP2\A0001119.exe Infected: Backdoor.Win32.Bifrose.acs skipped
Be sure the above items are finished and you reboot the computer before you clean System Restore files or it will backup the bad stuff again.

System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Safe Surfing...if you have any questions please post them.

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html

Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
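
A small triage helper, added here as an example and not something posted in the thread: it reads Kaspersky Online Scanner output in the form shown above ("<path> Object is locked skipped" / "<path> Infected: <name> skipped"), discards the locked objects, which are simply files in use and not detections, and sorts each infection into the step pskelley gives in the reply above: delete a live file, empty the Symantec quarantine folder, or purge System Restore points once the live files are gone and the machine has been rebooted. The sample log inside the script is constructed; its Quarantine file name is invented for illustration, the other paths are the ones from this thread.

```python
import re
from dataclasses import dataclass, field
from typing import List

# One scanner line: "<path> Object is locked skipped" or "<path> Infected: <name> skipped".
# The path is matched lazily because it usually contains spaces itself.
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?:Object is locked|Infected: (?P<name>\S+)) skipped$"
)


@dataclass(frozen=True)
class Finding:
    path: str
    detection: str
    action: str  # "delete", "purge_restore_points" or "empty_quarantine"


@dataclass
class Triage:
    findings: List[Finding] = field(default_factory=list)
    locked: int = 0  # in-use files the scanner could not open; normal, not infections
    unparsed: List[str] = field(default_factory=list)

    def by_action(self, action: str) -> List[Finding]:
        return [f for f in self.findings if f.action == action]


def classify(path: str) -> str:
    """Map an infected path to the clean-up step recommended in the thread."""
    low = path.lower()
    if "\\system volume information\\_restore{" in low:
        # A restore-point copy: deleting it by hand is pointless, the whole
        # restore set is purged by turning System Restore off and on again
        # after the live files are gone and the machine has been rebooted.
        return "purge_restore_points"
    if "\\quarantine\\" in low:
        # Already contained by the resident AV; empty the quarantine folder.
        return "empty_quarantine"
    # Anything else is a live file on the system: remove it.
    return "delete"


def triage(log_text: str) -> Triage:
    """Parse a saved scanner report and bucket every infection by remediation step."""
    result = Triage()
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            result.unparsed.append(line)  # headers, summary lines, anything unexpected
        elif m.group("name") is None:
            result.locked += 1
        else:
            path = m.group("path")
            result.findings.append(Finding(path, m.group("name"), classify(path)))
    return result


# Constructed sample in the scanner's format. The first three paths come from the
# thread; the Quarantine file name is made up for the example.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\System Volume Information\_restore{C54F4546-9D10-437B-A3DF-B3348E70DBCD}\RP2\A0001119.exe Infected: Backdoor.Win32.Bifrose.acs skipped
C:\WINDOWS\system32\mwyts.exe Infected: Trojan-Downloader.Win32.Tiny.ho skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\sample.vbn Infected: Backdoor.Win32.Bifrose.acs skipped
Scan process completed.
"""

if __name__ == "__main__":
    t = triage(SAMPLE_LOG)
    print(f"{t.locked} locked objects ignored")
    for action in ("delete", "empty_quarantine", "purge_restore_points"):
        for f in t.by_action(action):
            print(f"{action:22} {f.detection:35} {f.path}")
```

Run it as-is to see the three buckets, or paste a full saved report into it to get the remediation list. It only sorts what the scanner already flagged; it says nothing about whether an unflagged file such as CameraFixer.exe is safe, which is what the VirusTotal check pskelley suggests is for.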

shurkes
2007-08-01, 15:01
Thanks for the quick and good help.

shurkes
2007-08-02, 05:30
After applying your advice while I was away from home, it seemed that everything was fine. When I came home and started using my neighbor's WiFi the problem started again. Could it be something that is not in my computer?
I attached a print screen image so that you can see the problem.
Do you or anyone have an idea?
Thanks
P.S.: I can't attach it because the file is too big.

shurkes
2007-08-02, 05:52
I hope I attached it.

pskelley
2007-08-10, 13:12
Please don't post a gif/jpeg picture to show the problem, they are not needed and also hard on anyone who uses dialup. The logs will suffice and are best read in default black font, thank you.
I never received this notification. I see you said this:

"When I came home and started using my neighbor's WiFi the problem started again. Could it be something that is not in my computer?"

I remove malware here and would be glad to take another look for any, but I know nothing about WiFi or your neighbor's WiFi. If you have not resolved this issue and believe it has anything to do with malware, then post the HJT log and I will take another look.

Thanks

pskelley
2007-08-18, 02:39
As the problem appears to be resolved this topic has been closed.

If you need it re-opened please send me or a forum staff member a private message (pm) and provide a link to the thread; this applies only to the original topic starter.

Anyone else with similar problems please start a new topic.